Blog – January 05, 2026
Beyond the IP: Mastering Precision Security with Domain Inspection & Control
In the early days of network security, blocking a “bad” IP address was often enough to keep a network safe without negatively impacting business operations. Today, the landscape is far more complex. Between Content Delivery Networks (CDNs), shared hosting, and the rise of encrypted traffic (TLS/QUIC), a single IP address might host thousands of different domains, some perfectly safe, others malicious.
To get the granular control that modern threats require, it is worth understanding Domain Inspection and Control (the feature's name in threatER Enforce).
Why Domain Control Matters
Traditional firewalls often suffer from “over-blocking.” If a malicious site shares an IP with a legitimate business service, blocking the IP protects you but breaks your workflow.
By inspecting the Host header in HTTP or the SNI (Server Name Indication) in encrypted TLS and QUIC connections, Enforce sees the specific destination a user is trying to reach. This allows you to:
- Enforce Policy with Precision: Block the specific “bad” domain while allowing traffic to “good” domains on the same IP.
- Mitigate Shadow IT: Identify and restrict access to unauthorized applications that use standard web ports.
- Secure Encrypted Traffic: Gain visibility into encrypted connections without the overhead of full SSL decryption.
Understanding the “Verdict” Logic
When you enable Domain Inspection, you can choose how Enforce balances IP-based rules with Domain-based rules. Choosing the right Domain Inspection Type is key to your strategy:
| Inspection Type | Behavior |
|---|---|
| Prefer IP | Follows the IP verdict first. If the IP is blocked, the connection is dropped regardless of the domain. |
| Prefer Domain | Domain rules take precedence. A connection to a blocked IP will not be blocked unless the domain is also on a “Block” list. |
| Prefer Both | The most restrictive: a connection will only be allowed if the IP is on an “Allow” list or if neither the IP nor the Domain is on a “Block” list. |
| Explicit | Uses a specific logic hierarchy to ensure that if a domain is explicitly blocked, no IP-level “allow” can override it. |
Highlight: DNS Hygiene & Security
Domain control isn’t just about web traffic; it’s about the foundation of the internet: DNS. threatER includes three critical tools to harden your DNS environment:
- Authorized DNS Resolvers: Prevent “DNS Leaking” or shadow DNS settings. You can now specify up to 10 authorized DNS servers. Any request sent to an unauthorized resolver will be automatically blocked.
- Observed DNS Resolvers: This is a powerful diagnostic tool. Enforce tracks all unique DNS connections, allowing you to identify misconfigured devices or potential malware (like command-and-control beacons) attempting to use unauthorized DNS paths.
- DNS Answer IPs: Instead of a simple “Connection Refused,” you can now configure up to 4 specific IPs to be returned when a DNS query is blocked, allowing you to redirect users to a custom “Access Denied” landing page.
Implementation Best Practices
To get started with Domain Inspection, navigate to Enforce > Networks and enter the Network Wizard.
Pro Tip: Performance Optimization
While the performance impact of domain inspection is negligible in most environments, it’s best practice to limit inspection to necessary ports (typically TCP 80, TCP 443, and UDP 443). If you have high-volume networks, ensure your Enforcer hardware is sized correctly for the additional inspection load.
Visibility in the Logs
When Domain Inspection is active, your logs will provide deeper context. You will see a new reason code: DOMAIN INSPECT. Because Enforce needs to “see” the domain name, it allows the first few packets (usually up to 5) to pass before making a final verdict. If a connection is ultimately blocked based on the domain, your logs will clearly show the IP Verdict, the Domain Verdict, and the Type of traffic detected.
Ready to take control of your network’s domain traffic? Log into the Portal today to configure your Authorized Resolvers and enable Domain Inspection on your primary networks.